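def do_post(request, *args, **kwargs):
    """
    Change a user's password.

    Two flows share this endpoint:

    * forgot-password: a URL token (``h2p``) is exchanged through
      ``base_api.hash2params.retrieve_hash`` for the username;
    * logged-in change: the request's ``auth_token`` must be authorized and
      the submitted ``oldpassword`` must match the stored hash.

    :param request: handler exposing ``log``, ``auth_token``, ``r_ip`` and
        ``get_argument``
    :param newpassword: request argument, the new password, string, True
    :param oldpassword: request argument, required in the logged-in flow only
    :return: 200, OK
    :return: error response from ``base_common.msg.error`` otherwise
    """
    log = request.log
    _db = get_md2db()
    dbc = _db.cursor()

    try:
        newpassword = request.get_argument('newpassword')
    except tornado.web.MissingArgumentError:
        log.critical('Missing argument password')
        return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)

    # CHANGE PASSWORD FROM FORGOT PASSWORD FLOW
    h2p = get_url_token(request, log)
    if h2p and len(h2p) > 60:
        rh = BaseAPIRequestHandler(log)
        rh.set_argument('hash', h2p)
        rh.r_ip = request.r_ip
        res = base_api.hash2params.retrieve_hash.do_get(rh)
        if 'http_status' not in res or res['http_status'] != 200:
            return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED)
        username = res['username']
    else:
        # TRY TO CHANGE PASSWORD FROM USER CHANGE REQUEST
        tk = request.auth_token
        if not authorized_by_token(dbc, tk, log):
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)
        username, oldpwdhashed, _user_id = get_user_by_token(dbc, tk, log)
        if not username:
            log.critical('User not found by token')
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)
        try:
            oldpassword = request.get_argument('oldpassword')
        except tornado.web.MissingArgumentError:
            log.critical('Missing argument oldpassword')
            return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)
        if not check_password(oldpwdhashed, username, oldpassword):
            # Do not write the submitted secret to the log; the username is
            # enough to triage a failed attempt.
            log.critical("Passwords don't match for user: {}".format(username))
            return base_common.msg.error(msgs.WRONG_PASSWORD)

    # UPDATE USERS PASSWORD
    password = format_password(username, newpassword)
    # Bind values instead of formatting them into the statement: username
    # comes from a URL token or the users table, never inline it.
    # NOTE(review): assumes the driver's DB-API paramstyle is 'format' (%s);
    # confirm against the connection returned by get_md2db().
    uq = "update users set password = %s where username = %s"
    try:
        dbc.execute(uq, (password, username))
    except Exception as e:
        log.critical('Change password: {}'.format(e))
        return base_common.msg.error(msgs.USER_PASSWORD_CHANGE_ERROR)

    _db.commit()
    return base_common.msg.post_ok(msgs.USER_PASSWORD_CHANGED)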
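def do_get(request, *args, **kwargs):
    """
    Confirm a username change requested through an e-mailed token.

    The URL token (``h2p``) is exchanged through
    ``base_api.hash2params.retrieve_hash`` for ``user_id``, ``newusername``
    and ``password``; the user row is then updated and a notification mail is
    queued via ``base_api.mail_api.save_mail``.

    :param request: handler exposing ``log`` and ``r_ip``
    :return: 200, OK
    :return: error response from ``base_common.msg.error`` otherwise
    """
    log = request.log
    _db = get_md2db()
    dbc = _db.cursor()

    h2p = get_url_token(request, log)
    if not h2p or len(h2p) < 64:
        log.critical('Wrong or expired token {}'.format(h2p))
        return base_common.msg.error(msgs.WRONG_OR_EXPIRED_TOKEN)

    rh = BaseAPIRequestHandler(log)
    rh.set_argument('hash', h2p)
    rh.r_ip = request.r_ip
    res = base_api.hash2params.retrieve_hash.do_get(rh)
    if 'http_status' not in res or res['http_status'] != 200:
        return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED)

    try:
        user_id = res['user_id']
        newusername = res['newusername']
        password = res['password']
    except KeyError as e:
        log.critical('Missing hash parameter: {}'.format(e))
        return base_common.msg.error(msgs.TOKEN_MISSING_ARGUMENT)

    # Values decoded from the token are bound, not formatted into SQL.
    # NOTE(review): assumes the driver's DB-API paramstyle is 'format' (%s);
    # confirm against the connection returned by get_md2db().
    q = "select username from users where id = %s"
    try:
        dbc.execute(q, (user_id,))
    except IntegrityError as e:
        log.critical('Error fetching user: {}'.format(e))
        return base_common.msg.error(msgs.USER_NOT_FOUND)

    # NOTE(review): relies on rowcount being meaningful after a SELECT, which
    # not every driver guarantees — confirm for this driver.
    if dbc.rowcount != 1:
        log.critical('Users found {}'.format(dbc.rowcount))
        return base_common.msg.error(msgs.USER_NOT_FOUND)
    # Consume the row so the cursor is clean for the update that follows.
    dbc.fetchone()

    passwd = format_password(newusername, password)
    q1 = "update users set username = %s, password = %s where id = %s"
    try:
        dbc.execute(q1, (newusername, passwd, user_id))
    except IntegrityError as e:
        log.critical('Error updating user: {}'.format(e))
        return base_common.msg.error(msgs.USER_UPDATE_ERROR)

    _db.commit()

    message = _get_email_message()

    # SAVE EMAILS FOR SENDING
    rh1 = BaseAPIRequestHandler(log)
    rh1.set_argument('sender', support_mail)
    rh1.set_argument('receiver', newusername)
    rh1.set_argument('message', message)
    res = base_api.mail_api.save_mail.do_put(rh1)
    if 'http_status' not in res or res['http_status'] != 204:
        return base_common.msg.error(msgs.CANNOT_SAVE_MESSAGE)

    return base_common.msg.post_ok(msgs.USER_NAME_CHANGED)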
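def do_get(request, *args, **kwargs):
    """
    Confirm a username change requested through an e-mailed token.

    The URL token (``h2p``) is exchanged through
    ``base_api.hash2params.retrieve_hash`` for ``user_id``, ``newusername``
    and ``password``; the user row is then updated and a notification mail is
    queued via ``base_api.mail_api.save_mail``.

    :param request: handler exposing ``log`` and ``r_ip``
    :return: 200, OK
    :return: error response from ``base_common.msg.error`` otherwise
    """
    log = request.log
    _db = get_db()
    dbc = _db.cursor()

    h2p = get_url_token(request, log)
    if not h2p or len(h2p) < 64:
        log.critical('Wrong or expired token {}'.format(h2p))
        return base_common.msg.error(msgs.WRONG_OR_EXPIRED_TOKEN)

    rh = BaseAPIRequestHandler(log)
    rh.set_argument('hash', h2p)
    rh.r_ip = request.r_ip
    res = base_api.hash2params.retrieve_hash.do_get(rh)
    if 'http_status' not in res or res['http_status'] != 200:
        return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED)

    try:
        user_id = res['user_id']
        newusername = res['newusername']
        password = res['password']
    except KeyError as e:
        log.critical('Missing hash parameter: {}'.format(e))
        return base_common.msg.error(msgs.TOKEN_MISSING_ARGUMENT)

    # Values decoded from the token are bound, not formatted into SQL.
    # NOTE(review): assumes the driver's DB-API paramstyle is 'format' (%s);
    # confirm against the connection returned by get_db().
    q = "select username from users where id = %s"
    try:
        dbc.execute(q, (user_id,))
    except IntegrityError as e:
        log.critical('Error fetching user: {}'.format(e))
        return base_common.msg.error(msgs.USER_NOT_FOUND)

    # NOTE(review): relies on rowcount being meaningful after a SELECT, which
    # not every driver guarantees — confirm for this driver.
    if dbc.rowcount != 1:
        log.critical('Users found {}'.format(dbc.rowcount))
        return base_common.msg.error(msgs.USER_NOT_FOUND)
    # Consume the row so the cursor is clean for the update that follows.
    dbc.fetchone()

    passwd = format_password(newusername, password)
    q1 = "update users set username = %s, password = %s where id = %s"
    try:
        dbc.execute(q1, (newusername, passwd, user_id))
    except IntegrityError as e:
        log.critical('Error updating user: {}'.format(e))
        return base_common.msg.error(msgs.USER_UPDATE_ERROR)

    _db.commit()

    message = _get_email_message()

    # SAVE EMAILS FOR SENDING
    rh1 = BaseAPIRequestHandler(log)
    rh1.set_argument('sender', support_mail)
    rh1.set_argument('receiver', newusername)
    rh1.set_argument('message', message)
    res = base_api.mail_api.save_mail.do_put(rh1)
    if 'http_status' not in res or res['http_status'] != 204:
        return base_common.msg.error(msgs.CANNOT_SAVE_MESSAGE)

    return base_common.msg.post_ok(msgs.USER_NAME_CHANGED)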
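def do_post(request, *args, **kwargs):
    """
    Change a user's password.

    Two flows share this endpoint:

    * forgot-password: a URL token (``h2p``) is exchanged through
      ``base_api.hash2params.retrieve_hash`` for the username;
    * logged-in change: the request's ``auth_token`` must be authorized and
      the submitted ``oldpassword`` must match the stored hash of the user
      returned by ``get_user_by_token``.

    :param request: handler exposing ``log``, ``auth_token``, ``r_ip`` and
        ``get_argument``
    :param newpassword: request argument, users newpassword, string, True
    :param oldpassword: request argument, old password if user logged, string,
        required in the logged-in flow only
    :return: 200, OK
    :return: error response from ``base_common.msg.error`` otherwise
    """
    log = request.log
    _db = get_db()
    dbc = _db.cursor()

    try:
        newpassword = request.get_argument('newpassword')
    except tornado.web.MissingArgumentError:
        log.critical('Missing argument password')
        return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)

    # CHANGE PASSWORD FROM FORGOT PASSWORD FLOW
    h2p = get_url_token(request, log)
    if h2p and len(h2p) > 60:
        rh = BaseAPIRequestHandler(log)
        rh.set_argument('hash', h2p)
        rh.r_ip = request.r_ip
        res = base_api.hash2params.retrieve_hash.do_get(rh)
        if 'http_status' not in res or res['http_status'] != 200:
            return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED)
        username = res['username']
    else:
        # TRY TO CHANGE PASSWORD FROM USER CHANGE REQUEST
        tk = request.auth_token
        if not authorized_by_token(dbc, tk, log):
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)
        dbuser = get_user_by_token(dbc, tk, log)
        if not dbuser.username:
            log.critical('User not found by token')
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)
        try:
            oldpassword = request.get_argument('oldpassword')
        except tornado.web.MissingArgumentError:
            log.critical('Missing argument oldpassword')
            return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)
        if not check_password(dbuser.password, dbuser.username, oldpassword):
            # Do not write the submitted secret to the log; the username is
            # enough to triage a failed attempt.
            log.critical(
                "Passwords don't match for user: {}".format(dbuser.username))
            return base_common.msg.error(msgs.WRONG_PASSWORD)
        username = dbuser.username

    # UPDATE USERS PASSWORD
    password = format_password(username, newpassword)
    # Bind values instead of formatting them into the statement: username
    # comes from a URL token or the users table, never inline it.
    # NOTE(review): assumes the driver's DB-API paramstyle is 'format' (%s);
    # confirm against the connection returned by get_db().
    uq = "update users set password = %s where username = %s"
    try:
        dbc.execute(uq, (password, username))
    except Exception as e:
        log.critical('Change password: {}'.format(e))
        return base_common.msg.error(msgs.USER_PASSWORD_CHANGE_ERROR)

    _db.commit()
    return base_common.msg.post_ok(msgs.USER_PASSWORD_CHANGED)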
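def do_post(**kwargs):
    """
    Change a user's password.

    Two flows share this endpoint:

    * forgot-password: a URL token (``h2p``) is exchanged through
      ``base_api.hash2params.retrieve_hash`` for the username;
    * logged-in change: the request's ``auth_token`` must be authorized and
      the submitted ``oldpassword`` must match the stored hash of the user
      returned by ``get_user_by_token``.

    :param kwargs: must carry ``request_handler``, the handler exposing
        ``auth_token``, ``r_ip`` and ``get_argument``; in the forgot-password
        flow the entry is replaced by the handler built for ``retrieve_hash``
    :return: 200, OK
    :return: error response from ``base_common.msg.error`` otherwise
    """
    _db = get_db()
    dbc = _db.cursor()
    request = kwargs['request_handler']

    try:
        newpassword = request.get_argument('newpassword')
    except tornado.web.MissingArgumentError:
        # ``log`` is not defined in this function; it is expected from the
        # enclosing module.
        log.critical('Missing argument password')
        return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)

    # CHANGE PASSWORD FROM FORGOT PASSWORD FLOW
    h2p = get_url_token(request)
    if h2p and len(h2p) > 60:
        rh = BaseAPIRequestHandler()
        rh.set_argument('hash', h2p)
        rh.r_ip = request.r_ip
        kwargs['request_handler'] = rh
        res = base_api.hash2params.retrieve_hash.do_get(h2p, False, **kwargs)
        if 'http_status' not in res or res['http_status'] != 200:
            return base_common.msg.error(msgs.PASSWORD_TOKEN_EXPIRED)
        username = res['username']
    else:
        # TRY TO CHANGE PASSWORD FROM USER CHANGE REQUEST
        tk = request.auth_token
        if not authorized_by_token(_db, tk):
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)
        dbuser = get_user_by_token(_db, tk)
        if not dbuser.username:
            log.critical('User not found by token')
            return base_common.msg.error(msgs.UNAUTHORIZED_REQUEST)
        try:
            oldpassword = request.get_argument('oldpassword')
        except tornado.web.MissingArgumentError:
            log.critical('Missing argument oldpassword')
            return base_common.msg.error(msgs.MISSING_REQUEST_ARGUMENT)
        if not check_password(dbuser.password, dbuser.username, oldpassword):
            # Do not write the submitted secret to the log; the username is
            # enough to triage a failed attempt.
            log.critical(
                "Passwords don't match for user: {}".format(dbuser.username))
            return base_common.msg.error(msgs.WRONG_PASSWORD)
        username = dbuser.username

    # UPDATE USERS PASSWORD
    password = format_password(username, newpassword)
    # Bind values instead of formatting them into the statement: username
    # comes from a URL token or the users table, never inline it.
    # NOTE(review): assumes the driver's DB-API paramstyle is 'format' (%s);
    # confirm against the connection returned by get_db().
    uq = "update users set password = %s where username = %s"
    try:
        dbc.execute(uq, (password, username))
    except Exception as e:
        log.critical('Change password: {}'.format(e))
        return base_common.msg.error(msgs.USER_PASSWORD_CHANGE_ERROR)

    _db.commit()
    return base_common.msg.post_ok(msgs.USER_PASSWORD_CHANGED)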